2025-01-15 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Information security construction is a very meticulous and important work. To do a good job in information security construction, it is first necessary to conduct in-depth and comprehensive research on the historical situation of the organization's informatization development, know the background and master the situation, and carry out overall development planning for the main contents of information security.
In the previous article we discussed the purpose of information security construction; in this article we introduce what leads that construction: the information security strategy.
An information security policy is the foundation of an effective information security program. Events in the field of information security make the central role of policy more and more evident. For example, without a security policy, system administrators cannot configure a firewall securely, because policy is what specifies which access controls and protocols are permitted and how security-related events are logged. Information security policies are an inexpensive way to enforce controls, yet they are also the most difficult to enforce. A policy costs only the time and effort it takes to create, approve, communicate, and integrate it into daily behavior. Even hiring outside consultants to assist with policy development is less expensive than other control methods, especially technical controls. Policy development serves the following goals: reducing risk, complying with laws and regulations, and ensuring the continuity of the organization's operations and the integrity and confidentiality of its information.
Information security policy should be driven primarily by the nature of the information the organization processes and uses. Organizations provide internal information systems for executives, board members, strategic partners, and employees, and understanding the nature of the information held in those systems provides useful evidence for policy development. Emphasis should be placed on employees who have a deep understanding of the information systems and who can describe the key characteristics of the organization's current information, including which information is sensitive, valuable, and critical.
A recent risk assessment or information audit should be consulted when developing a comprehensive information security strategy to gain a clear understanding of the organization's current information security needs. A summary of security incidents that have occurred is also a valuable source of information. Meetings are also needed with relevant people, such as chief information officers, physical security directors, information security directors, internal audit directors, and human resources directors.
To determine which areas require further attention, collect all policy documents currently in place in the organization, such as the computer operations policy, application development policy, human resources policy, and physical security policy. International and industry standards can also be referenced for guidance. The data collection phase is very important, yet it is often cut short because of the workload and the difficulty of carrying it out. Incomplete data collection and insufficient research can produce a new information security policy that does not match the true needs of the organization, with no way to ensure that its requirements are aligned with management objectives. It is even more embarrassing to propose a policy that is clearly inconsistent with the organizational culture.
Another function of a thorough survey of the status quo before developing a policy is to clarify the internal information system architecture. Information security policy should be consistent with, and fully supportive of, the existing information system architecture; this refers to the information systems architecture, not the information security architecture. Information security policy is usually formulated after the information system architecture has been established, to ensure the implementation and operation of the information security system. An Internet access control policy, for example, makes the security architecture explicit and helps in selecting and implementing appropriate firewall products.
Once the materials described above have been collected, that is, once the research phase is complete, begin drafting the information security policy document on the basis of the research data. After the first draft is complete, circulate it to directly relevant personnel for a small-scale review. After revising it according to their feedback, gradually expand the scope of the review. When all supporting departments have submitted their changes, the document is reviewed by the Information Security Management Committee.
The process of formulating an information security policy is highly political and involves many personal interests. Repeated rounds of review make the policy clearer, simpler and easier to implement, so the review process should be used to build enthusiastic participation rather than resistance.
The final step in the review process is usually a signature by the general manager, president or CEO. Employment contracts should state that compliance with the policy is expected and is a condition of continued employment. The policy should also be distributed prominently on internal servers, web pages, and notice boards, bearing the signature of senior management to show that the information security policy document has strong support from senior leaders. If it is not practical to have the CEO sign, the CIO can. Note that the signature of the head of the information security department, or of a department head at the same level, is generally not sufficient to indicate the approval and support of senior management. Although obtaining top management approval is difficult, experience shows that top-level support is very important for the implementation of a policy.
Generally speaking, an information security policy document is reviewed and revised many times by all parties within the organization, the most important of which is the Information Security Management Committee. Such a committee is generally composed of information department personnel, and its participants typically include members of the information security, internal audit, physical security, information systems, human resources, legal, and finance and accounting departments. In essence the committee oversees the work of the information security department and is responsible for screening and refining the submitted policies so they can be implemented throughout the organization. If the organization does not already have an information security management committee, the development of an information security policy is a good time to establish one, or to assign the responsibility to an existing body with a similar function.
Even once new security policies have been developed, there must also be a proper implementation process. If the policies are not implemented, they will have no effect. An unimplemented policy may be worse than no policy at all, because it teaches employees to cut corners and to question the organization's ability to follow through. It may also fool managers into thinking that information security issues have been dealt with when in reality they have not.
Management often assumes that employees act in the best interest of the organization, which is an ill-conceived idea. Although policy is unlikely to change employees' personal values, management can use policy to give employees the opportunity to align themselves with the organization's interests. Policies tell employees what the organization expects of them.
New policies should be discussed internally within IT or Audit before they are released. Implementation of a new policy may run into a variety of problems. Effective execution of the policy can be supported by performance evaluation and a corresponding system of rewards and penalties, but finding and punishing employees who violate the policy is not the goal. If a large number of people do not comply, this indicates that the policy and the associated awareness-raising are ineffective; in that case, more effective ways to implement the policy must be found, or the policy must be modified to better reflect the organizational culture.
The above is a summary of many years of work by the Software Evaluation Center of Shandong Province. I hope it is helpful, and I welcome corrections of any shortcomings.
© 2024 shulou.com SLNews company. All rights reserved.